1. Ads and TOS agreements
One popular way for malware writers to siphon money from your smartphone or tablet is to insert malicious ads and Term of Service (TOS) agreements into apps.
“In 99 percent of the SMS malware we see, apps actually request the permission to send text messages,” said Tim Armstrong, malware analyst for Kaspersky Lab. “People are just so conditioned to click through all these screens just to get to the end of the install that they don’t review any of the permissions, and a lot of times they’re giving away the right to charge them money.”
2. Unregulated app markets
The jury is out when it comes to Apple versus Android, but there’s one advantage that iPhones have over phones running Google’s OS. Apple’s App Store exerts much tighter controls over incoming apps, requiring developers to undergo a rigorous approval process. However, Google isn’t sitting still. It recently launched its Bouncer system, which is designed to search for malicious code in a new app before it’s admitted to the Android Market. And the company claims that since its launch, malware in the store has dropped 40 percent. Unfortunately, the problem of malicious apps is even more prevalent in third-party app stores, which often stock repackaged versions of popular apps that—you guessed it—include malware.
3. SMS trojans
Essentially mobile pickpocketing, this threat comes in the form of apps that, once downloaded, send text messages or make calls to premium-rate phone numbers from your smartphone, stealing money from your account in the process. The malicious app may pose as an SMS managing service, or it may look like it has a completely different purpose based on its listing in the app store. However, according to Armstrong, SMS Trojans are more prevalent in Europe and Canada than in the U.S., as our SMS systems are configured differently.
4. Software flaws and out-of-date OSes
Malware writers aren’t the only ones responsible for mobile security vulnerabilities; sometimes it’s the phone manufacturers themselves that unintentionally push flawed code to handsets. For example, in October 2011, the AT&T version of the Samsung Galaxy S II was found to have a gaping security flaw: If the pattern unlock screen timed out, waking it up would grant access to the phone, bypassing the need to enter a PIN number.
Though Samsung and other companies offer software updates to fix such security flaws, they don’t always apply to every version of an operating system. As Kaspersky’s Armstrong explained, “There are all these different models out there, all running different versions of the Android operating system. Unless you’re buying a new phone or device every six months, a lot of the time you’re not going to get the latest version of the operating system with the security patches.” According to Armstrong, the most popular version of the Android smartphone OS is currently 2.2 (Froyo). The most recent version (as of press time) is 4.0 (Ice Cream Sandwich).
5. Mobile payment systems
NFC (Near Field Communication) technology lets you pay for items using your smartphone, which, as Google Wallet has demonstrated, can be extremely convenient. As of press time, though, Google Wallet had been hacked twice and, after briefly suspending issuing new prepaid cards, fixed the service.
Google, using lesser-known payment systems, could give scammers access to your digital wallet also. NFC payment programs tend to be the most secure, as they generally entail partnerships with high-profile companies that take encryption seriously, such as Visa.
“Retailers are scared about waiters and waitresses at restaurants walking away with your credit card, scanning it once for themselves and then scanning it once to actually pay for your meal,” explained Armstrong. “There’s a danger of skimming there. Mobile payment devices like Square are so small and you’re putting a lot of capabilities in other people’s hands.”